You know how you’ve been meaning to update your passwords? Today’s really the day to do it.

On Monday, security researchers found an issue so scary they called it “Heartbleed.” It’s a flaw in an encryption tool used by about two-thirds of Internet servers that could be exploited to leak your login names and passwords.

Check site security before changing your password
It’s not clear exactly which services were impacted, or what passwords may have been compromised. But if you have an account on Yahoo, OKCupid or Github—three popular sites known to have had the vulnerability (and patched it)—you should change your password on them as soon as possible.

Other big Web companies are taking steps to fix the problem. You can check if a service has updated its security by typing in its domain name at https://www.ssllabs.com/ssltest.

If everything’s green, it has probably been fixed and you are clear to change your password. If the site is not in the green, hold off. Changing your password on vulnerable sites would either have no impact, or could potentially expose your new password.

Even without Heartbleed, passwords have never been more vulnerable, and you should change them for important accounts every 90 days.

Here’s what else you need to know today:

Turn on two-factor authentication
Beyond using fresh passwords, it’s now important to adopt an additional defense, available on a growing number of sites, called “two-factor authentication.” (It also goes by “second factor,” “login verification” or by branding such as, in Bank of America’s case, “SafePass.”)

This option, now offered by many email services, banks and social networks, sends you a one-time code (usually via text message) every time you (or anyone else) tries to log into your account. You’ll need to type in that code to access your account.
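To show what the site is doing on its end when it texts you a one-time code, here is an added example of the server side of that flow. It is not code from the article or from any of the services named; the design (only a hash of the code is kept, the code expires after five minutes, is consumed by its first successful use, and is discarded after three wrong guesses) is an assumption of this example, as are the `OneTimeCodeStore` and `login` names.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the code sent by text message
CODE_TTL_SECONDS = 300   # assumed: a code is only good for five minutes
MAX_ATTEMPTS = 3         # assumed: three wrong guesses invalidate the code


class OneTimeCodeStore:
    """Server-side record of pending second-factor codes, one per account.

    Hypothetical design (not the article's): the server keeps only a SHA-256
    digest of each code, every code expires after CODE_TTL_SECONDS, is consumed
    by its first successful use, and is thrown away after MAX_ATTEMPTS wrong
    guesses. The clock is injectable so expiry can be exercised without waiting.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> (digest, expires_at, wrong_attempts)

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Generate a fresh code for one login attempt and return it for delivery
        (this is the value the site would text to the user's phone)."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = (self._digest(code), self._clock() + CODE_TTL_SECONDS, 0)
        return code

    def verify(self, account, submitted):
        """Return True exactly once for the right code, while it is still valid."""
        entry = self._pending.get(account)
        if entry is None:
            return False                      # nothing pending for this account
        digest, expires_at, wrong = entry
        if self._clock() > expires_at or wrong >= MAX_ATTEMPTS:
            del self._pending[account]        # stale or guessed at too often: discard it
            return False
        # compare_digest keeps the comparison time independent of where the digests differ
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[account]        # single use: a replayed code fails
            return True
        self._pending[account] = (digest, expires_at, wrong + 1)
        return False


def login(store, account, password_ok, submitted_code):
    """Second step of a login: the password result comes first, then the code.
    A wrong password never reaches the code check, so a code on its own is useless."""
    if not password_ok:
        return False
    return store.verify(account, submitted_code)


if __name__ == "__main__":
    store = OneTimeCodeStore()
    texted = store.issue("alice")           # would be delivered by SMS
    print("code texted to the user:", texted)
    print("login with the code:", login(store, "alice", True, texted))
    print("replaying the same code:", login(store, "alice", True, texted))
```

The point of the single-use and expiry rules is that a code intercepted from a text message is worth little to anyone who reads it after you have already used it, or more than a few minutes later.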

Use at least five different passwords
The biggest mistake you could make is choosing the same password for everything. If your password gets compromised on one site, someone might try to use it elsewhere.

Instead of trying to keep track of unique passwords for every site, memorize groups of them. Start with five key categories: banking, email, social networking, shopping and, finally, sites you visit very infrequently. Within those categories, you can make each password more unique by tacking on a character or two at the end specific to a site, like AZ for Amazon.com.

If there’s a breach in, say, one of your retail sites, you should immediately change all of the passwords in that group, though this strategy may have bought you a little time.

[Photo: a silhouetted face in front of a computer screen with a fictional password input field, Hanover, Germany, file photo dated Jan. 23, 2012. European Pressphoto Agency/Julian Stratenschulte]

Choose strong passwords
What counts as strong? Longer is better; you’ll want passwords at least six to eight characters long that include numbers and special characters. If your password appears on lists that hackers have exposed, you’ll need to start over.

Pet and family names are also a bad place to start because criminals might have access to your personal information. They might even be looking at your Facebook posts.

Unfortunately, sites and apps all have different standards. They also have different rules about the number and kinds of characters they’ll allow—some, for example, won’t accept uppercase, while others require it. A friend recently made a project of changing passwords on all 129 accounts in his life, and was ready to pull out his hair when he discovered one site would not accept the ampersand, while another wouldn’t accept a dollar sign.

It’s especially important to have unique passwords for email accounts, because hackers with access to your email can use it to initiate a “forgot my password” recovery process for other sites.

Some people also intentionally give incorrect answers to security-challenge questions on sites—What was your first car? What was the name of your first pet?—so that criminals with information about you still can’t guess the right answer.

There’s help to remember
Writing down your passwords on something you keep in your wallet could put them at risk. But it is better to choose stronger passwords that you keep written in a safe place than to choose easily cracked ones that you memorize.

There are good ways to remember longer passwords, however.

The most basic trick is mnemonics. For example, choose passwords based around a phrase or random assortment of words you can remember. Or, use the first letter of every word from the phrase as your password. So, “I Left My Heart In San Francisco,” could be “ILMHISF.”
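The strength rules from “Choose strong passwords” above (length, numbers and special characters, no appearance on an exposed-password list, no pet or family names) and the first-letter mnemonic just described can be put together in a small checker. This is an added example, not code from the article: the 8-character minimum takes the upper end of the article’s “six to eight,” reading “numbers and characters” as a digit plus a special character is an assumption, the exposed-password list is a constructed sample standing in for a real breach corpus, and `check_password` and `passphrase_initials` are names chosen here.

```python
import re

MIN_LENGTH = 8   # assumed: the upper end of the article's "six to eight" range

# Constructed sample standing in for "lists that hackers have exposed";
# a real check would consult a full breach corpus.
EXPOSED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "1234", "iloveyou"}


def passphrase_initials(phrase):
    """The mnemonic from the article: first letter of each word, upper-cased."""
    return "".join(word[0] for word in phrase.split()).upper()


def check_password(candidate, personal_terms=(), exposed=EXPOSED_PASSWORDS):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", candidate):
        problems.append("contains no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        # assumed reading of the article's "numbers and characters"
        problems.append("contains no special character")
    lowered = candidate.lower()
    if lowered in exposed:
        problems.append("appears on an exposed-password list")
    for term in personal_terms:
        # pet names, family names and similar facts someone could read off a social profile
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information: {term!r}")
    return problems


if __name__ == "__main__":
    initials = passphrase_initials("I Left My Heart In San Francisco")
    print(initials, "->", check_password(initials))
    print("Fluffy2019! ->", check_password("Fluffy2019!", personal_terms=["Fluffy", "Smith"]))
    print(initials + "-2014! ->", check_password(initials + "-2014!"))
```

Run as-is, the checker shows that the bare mnemonic “ILMHISF” meets none of the article’s other rules (too short, no digit, no special character) until something is appended to it, and that a long password built on a pet’s name is flagged as soon as that name is among the personal terms supplied.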

Don’t just stick to phrases and words that are true in your life. You can also remember phrases that are fabrications, like the wrong name for your dog, that criminals are less likely to guess.

Finally, some people invest in password manager services and apps, such as LastPass, PasswordBox and 1Password, which keep track of passwords and suggest especially strong ones.

Some security experts, though, warn against creating a single point of potential failure with all your passwords, especially if the service stores your passwords remotely. Still, they’re safer than just using “1234” or “password.”

What’s your best password trick? Share it in the comments or on Twitter at @geoffreyfowler.

Note: This post has been updated to emphasize the importance of checking sites before you change passwords.